Going passwordless: Q&A with Microsoft’s CVP of security, Vasu Jakkal

Just two weeks ago, Microsoft, Apple and Google unveiled plans to expand support for the common passwordless sign-in standard created by the FIDO Alliance and offer passwordless login options to billions of users so they can log in with their fingerprint, face or device PIN.

Since the announcement, there has been a lot of speculation about how the world of passwordless authentication will compare to the era of password-based authentication, with some critics suggesting that FIDO is focusing on “completely killing passwords”.

For security teams, the idea of password elimination is an appealing one, as it prevents cybercriminals from being able to harvest passwords and login credentials, and reduces the risk of data breaches from phishing scams, brute force hacks and business email compromises.

VentureBeat recently spoke with Vasu Jakkal, CVP Security, Compliance, Identity and Privacy at Microsoft, who is leading the organization’s push for passwordless authentication options as part of the FIDO Alliance, to find out what the future holds for password-free enterprise security and how threat actors are likely to adapt.

Below is an edited transcript of the interview.

VentureBeat: Why is the FIDO Alliance moving away from password-based security?

Jakkal: Weak passwords are the entry point for most attacks in enterprise and consumer accounts. Last year, Microsoft discovered that 579 password attacks occur every second. In just one year, that number has risen to 921 per second – 79.3 million daily attacks.

In a survey we recently launched, about one-third of people said they would completely stop using an account or service instead of dealing with a lost password.

They are unsafe and burdensome for both individuals and businesses. That’s why we encourage people to go passwordless with their Microsoft account and use a passwordless login wherever possible.

VentureBeat: What are the main advantages of passwordless authentication solutions?

Jakkal: Passwordless authentication solutions provide customers with a more secure, easy and quick way to authenticate their account. Instead of keeping attackers out, weak passwords often provide access. Using and reusing simple passwords in different accounts can make our online life easier, but it also keeps the door open.

Attackers regularly scroll through social media accounts in search of birthdates, vacation spots, pet names and other personal information that they know people use to create easy-to-remember passwords.

Our survey found that 68% of people use the same password for different accounts, putting you at greater risk.

For example, once a password and email combination is compromised, it is often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our chief information security officer here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

VentureBeat: Do passwordless organizations still need to worry about business email compromises and phishing threats?

Jakkal: The passwordless methods that Microsoft recommends, such as Windows Hello and other FIDO credentials, are designed to be phishing resistant. They use cryptography to exchange keys and bind to hardware. This makes the chances of BEC and phishing threats almost nothing.

You can learn more about the feasibility of different methods from our security researchers here: All your credit is ours! – Microsoft Tech Community

VentureBeat: How do you expect cybercriminals to change their tactics as passwordless solutions are adopted?

Jakkal: Password-only accounts remain an attractive target for cybercriminals – it’s still the cheapest attack at $0.97 per 1,000, as reported in our Microsoft Digital Defense report. We expect password attacks to continue for a while, but we’re always looking ahead to where the next set of attacks might come from.

One area we’ve been researching since the beginning of our password-free journey is the risk of session token theft. We launched new inventions last fall to help protect against token theft.

We are also actively working with standards bodies to develop security protocols to protect user sessions so that they can minimize the risk of compromise after logging in. Microsoft’s Pam Dingle will speak at the RSA Conference.

VentureBeat: Are there any security risks posed by passwordless solutions that organizations should be aware of?

Jakkal: From a security perspective, Windows Hello, FIDO credentials and smartcards are incredibly difficult to crack. That said, we recommend that customers use a zero-trust mentality of “assume breach” because you can never guarantee 100% security.

Some areas that some organizations should be aware of are the issuance and retrieval of passwordless credentials.

Temporary Access Pass is one of the solutions we’ve developed to help with the initial setup or recovery of an account so that customers can be secure and password free at all times.

VentureBeat: Do you have any advice for security teams who want to start implementing passwordless authentication in their organization? (Any tips on security / management of passwordless environment?)

Jakkal: Yes, check out our helpful resources in this blog, including the Deployment Guide and the session with our CISO and CO on how we implemented Passwordless at Microsoft: 3 Key Resources to Accelerate Your Passwordless Travel – Microsoft Security Blog. You can also see our latest customer stories here.
